| author | Jan-Hendrik Willms <tleilax+studip@gmail.com> | 2025-04-23 08:35:20 +0000 |
|---|---|---|
| committer | Jan-Hendrik Willms <tleilax+studip@gmail.com> | 2025-04-23 08:35:20 +0000 |
| commit | b1c032fcca9b3d48d247a9daf45db70894ee0839 (patch) | |
| tree | ed9be97463a9e191de79aacb6963f048d11ec3ff | |
| parent | fc341f65709f2bbf239a9cc56250d9fa8eb304f8 (diff) | |
2fa: test all valid periods for tokens of type email, fixes #5364
Closes #5364
Merge request studip/studip!4128
| -rw-r--r-- | lib/models/TFASecret.php | 40 |
1 files changed, 27 insertions, 13 deletions
diff --git a/lib/models/TFASecret.php b/lib/models/TFASecret.php
index 12d1ae2..d415e3c 100644
--- a/lib/models/TFASecret.php
+++ b/lib/models/TFASecret.php
@@ -175,23 +175,37 @@ class TFASecret extends SimpleORMap
 $window = null;
 }
 
- if ($this->getTOTP()->verify($token, $timestamp, $window)) {
- if (!$this->confirmed) {
- $this->confirmed = true;
- $this->store();
- }
+ if ($this->type === 'email') {
+ // Test for "window" number of "period" (this will ensure that old
+ // tokens are validated correctly)
+ $period = self::TYPES[$this->type]['period'];
+
+ $i = 0;
+ do {
+ $verified = $this->getTOTP()->verify($token, $timestamp - $i * $period, $window);
+ $i += 1;
+ } while (!$verified && $i < self::TYPES[$this->type]['window']);
+ } else {
+ $verified = $this->getTOTP()->verify($token, $timestamp, $window);
+ }
 
- if (!$allow_reuse) {
- TFAToken::create([
- 'user_id' => $this->user_id,
- 'token' => $token,
- ]);
- }
+ if (!$verified) {
+ return false;
+ }
+
+ if (!$this->confirmed) {
+ $this->confirmed = true;
+ $this->store();
+ }
 
- return true;
+ if (!$allow_reuse) {
+ TFAToken::create([
+ 'user_id' => $this->user_id,
+ 'token' => $token,
+ ]);
 }
 
- return false;
+ return true;
 }
 
 /**
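Review bot: In the email branch the loop bound `self::TYPES[$this->type]['window']` is re-read on every iteration and `$this->getTOTP()` is called again each time, while `$period` is hoisted right above; read both once next to `$period`, e.g. `$periods = self::TYPES[$this->type]['window'];` and `$totp = $this->getTOTP();`, then `} while (!$verified && $i < $periods);` (and `$i++` in place of `$i += 1`). The do/while deliberately makes at least one attempt even when that `window` entry is 0, which is worth stating in the existing comment so nobody "simplifies" it into a `for` loop that would then never verify. The comment should also say that this branch only steps backwards in time (`$timestamp - $i * $period`), so a code from a future period is rejected, and that it relies on `$window` being null here so the verifier's own drift window is not stacked on top of the loop — the `$window = null;` assignment above the hunk suggests this, but the condition it sits under is outside the visible lines. The enclosing verify method begins before this hunk.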
